
Electronic Signatures

Electronic signatures: how to authenticate contracts by electronic signatures in the UK, some European countries and developing countries.

Abstract:

In this century, electronic commerce has become an important element for most countries. Many jurisdictions around the world are considering enacting legislation to develop electronic commerce. The most important element of e-commerce is the contract. How can this contract be made in an electronic environment? A signature identifies the party and makes a safe and reliable environment for parties to make a contract. It is evidence of the rights and obligations of the parties. In fact, parties adopt the content of the contract with their signatures. In the common law, signatures are usually not necessary for a contract to be concluded, but what about other jurisdictions? However, in the electronic environment many problems have arisen. What are an e-signature and a digital signature? How can e-contracts be made binding with an e-signature? How can an e-signature be secured? Which contracts can be made by electronic signature? And what is the legal signature requirement for an e-signature? Why, therefore, is regulation introduced for this aspect of law? Why do we need international e-signature harmonization for making contracts? What happens if one jurisdiction does not apply e-signatures? What needs to be evidenced by e-signatures?


Introduction
Manuscript Signature
What is Signature for?
Identity and Liability, Function of Digital Signature
What is Digital Signature?
English legal effect of signatures in the law of contract
The English Statute of Frauds 1677
Civil law approach
What can be signature under English law?
Electronic signature Technology
Some formats an electronic signal
Password or personal Identification number “PIN”
Scan of hand written signature
Electronic Pen or Light Pen
Click Wrap button (clicking the “I accept” button) placed on a website
Biometrics
Retina scan
Iris Scan
Face recognition
Finger prints and hand prints
Voice / Voice Print
Vein Patterns
Ear Lobes
Facial Thermograms
Keystroke dynamic
DNA matching or DNA fingerprint or DNA typing
Biometrics conclusion
Encryption
Private Key encryption
Public key encryption
The difference between Electronic and Digital Signature
Digital Signatures: How they work
ID Certification
CA’s, Certification Authority
CA’s License
Accreditation
Cross-Certification, What is public key infrastructure
Liability of certification Authorities
How electronic Signature meet the Law’s functional Requirement
UNCITRAL model laws
The European Union: Electronic Signature Directive
The Electronic Communication ACT 2000
Conclusion
Bibliography

Introduction

The internet was invented for military purposes by the United States Department of Defence. However, it was found useful in academic circles. In the 1980s, after the invention of the World Wide Web (WWW), the internet became a port of commercial activities. At present, everyone is able to reach the internet with a modem or, more recently, with wireless access, and benefit from this new phenomenon. Nowadays, people are able to communicate with each other through Usenet user groups, bulletin boards and, more recently, chat rooms. Consumers around the world with access to the internet are able to obtain information, goods and services from local and/or overseas suppliers. They can order goods from other countries. The internet opens a new door for both suppliers and consumers.

Electronic commerce has begun a new revolution. It is going to change the business of individuals. Besides, there are many reasons why electronic commerce has become important to governments as well as to some institutions. “Globalization and the dismantling of trade barriers, the deployment of smart cards, and the internet”1 are some of the reasons. In 1999, the secretary of the World Trade Organization predicted that the turnover of global electronic commerce, which includes production, Webvertising, sale of goods and distribution of products via electronic networks, would exceed £150 billion.2 The world of e-commerce is expanding very fast, which shows the global growth of electronic commerce. This new phenomenon requires the establishment of new trade policy.3

1 Electronic Commerce Law and Practice, Third Edition, Michael Chissick and Alistair Kelman, page 1
2 Global Electronic Commerce and the General Agreement on Trade Services: The “Millennium Round” and Beyond, William J. Drake and Kalypso Nicolaidis
3 To see more: Electronic Signature Law and Regulation: “By 2000, some 57 per cent of medium-sized companies in the US were using the Internet for a proportion of their sales and the majority of these were also recruiting employees, procuring supplies and carrying out market research this way.”

Today, the next generation of e-commerce, “m-commerce”, is coming to the world, by which many of the applications already in use will be transferred to mobile devices such as cell phones and hand-held PCs. Moreover, the third generation (3G) of mobile services has been invented and network operators are investing in it. As a result, some of the potential is beginning to be realized. In October 1999 Ericsson introduced the first digital signatures to guarantee mobile commerce using the wireless application protocol (WAP). Moreover, many organizations, including VISA and MASTERCARD, have recently introduced a Mobile Payment Forum, which among other things addresses issues of cardholder authentication. Remote transactions will be used even more in the future.

Electronic commerce has brought many complicated legal issues into the structure of contracts. Location and time of formation of contracts, laws and jurisdictions governing disputes are important issues in International Business Law. All these issues became important when people and small companies became enthusiastic to enter into cross-border transactions around the world.

Under English law, two different rules have been introduced for the process of offer and acceptance. Under the “receipt” rule or delivery rule, the offer is taken to have been accepted when the buyer receives the seller’s acceptance.4 However, under the “postal” rule, this occurs when the seller sends his acceptance. It is not clear which of these rules applies to e-commerce.

4 Entores Ltd v Miles Far East Corp, 1955 2 QB 327 “The rule about instantaneous communications between the parties is different from the rule about the post. The contract is only complete when the acceptance is received by the offeror; and the contract is made at the place where the acceptance is received. Thus, in the case of telex communications, the place where the contract is made is the place where the offeror receives the notification of the acceptance by the offeree. An English company and a Dutch company in Amsterdam concluded a contract by means of the telex system of communication whereby a message can be typed on a teleprinter in one country and be instantly recorded in another. An offer was sent by telex from England offering to pay GBP 239 a ton for 100 tons of Japanese cathodes and accepted by telex from Holland. On the question whether leave should be given to serve notice of the writ out of the jurisdiction, held, the contract was made in England and leave should be given for service out of the jurisdiction.”


As was said above, under English law a signature is usually not a necessary element for the formation of a contract.5 On the contrary, many jurisdictions require certain types of contract to be “in writing”. For example, in civil law jurisdictions a signature is a necessary element for the formation of a contract. For instance, in France, a contract for the sale of goods worth €800 or more must be signed in order to be legally effective.

Manuscript Signature

Clearly, a traditional manuscript signature is not feasible where the parties communicate via the internet.6

Digital communications technology requires methods of signature which are quite different from the manuscript signature. As Chris Reed argued:
“1- The incorporation of a scanned image of a manuscript signature into a word processing file, followed by the sending of that document as an email attachment.
2- The ‘signature’ of an electronic document7 by means of mathematical process (an Electronic signature).
These types of signature are effected in ways which are quite different from the affixing of a manuscript signature to a paper document.

5 What is a Signature? Chris Reed, Journal of Information, Law and Technology, 31 October 2000, page 1, Http://elj.warwick.ac.uk/jilt/003-3/reed.html. To see more: Electronic Signatures Law and Regulation, Lorna Brazell, First Edition, Sweet & Maxwell, July 2003, page 2
6 Internet Law, Text and Materials, Chris Reed, 2004, page 180. It was stated: “the physical world concept of “signature” is the signatory’s name, written in his own hand, on a paper document (a “manuscript signature”). This is so universally understood by lawyers and non-lawyers alike that it generally receives no special treatment in legislation or case reports.”
7 Definition of document: “the term ‘Document’ is used here in a very broad sense. The definition in the UK Civil Evidence Act 1995, s 13 of a document as ‘anything in which information of any description is recorded’ would mean that, for several purposes, a transmission of data would not consist of a document, but rather that the several recordings on magnetic media during the transmission process would all be documents (or perhaps copies of the same document). Many other UK statutory of definition of the Finance Act 1993). For the purposes of this chapter, any discrete set of digital information will be treated as a document provided it performs the essential function of conveying information. See Grant v South Western and County Properties Ltd [1975] Ch 185. For a more detailed analysis of the concept of ‘documents and requirements of form (London: Centre for Commercial Law Studies, 1996) Chapter 1.

He added: “One solution available to those who wish to use electronic signature is to make provisions in a contract for the acceptability of the signature method.8

Even if the use of the technology does not create what the courts would recognise as a valid signature, in some jurisdictions the contractual term would raise an estoppel in favour of the party seeking to rely on the Electronic Signatures.9

The European Commission and the UK Government, having decided to develop electronic commerce, need to enact a suitable legal framework, since the existing one does not satisfactorily meet the needs of an online community. The authenticity of electronic contracts is not always clear from a legal point of view. Therefore, the proposed law set out to give a consistent legal basis to such documents. The UK government is also concerned about security and about other authorities obtaining access to the key.10

The parties involved in any commercial activity need to have confidence and trust in each other. Moreover, they may also need to know that their contract has not been read or changed by a third party.

Secure electronic signatures on the internet can help parties to establish trust. Electronic signatures on electronic contracts or documents can authenticate the origin of a message. Electronic signatures can prove whether or not the message or the contract has been altered.

8 American Bar Association, Model Electronic Data Interchange Trading Partner Agreement (Chicago: American Bar Association, 1990) 1.5: ‘Each party shall adopt as its signature an electronic identification consisting of symbol(s) or code(s) which are to be affixed to or contained in each Document transmitted by such party (‘Signature’). Each party agrees that any Signature of such party affixed to or contained in any transmitted Document shall be sufficient to verify such party originated such Document.’
9 This estoppel will arise even if the parties know that their agreed electronic signature technology is ineffective as a matter of law: “the full facts may be known to both parties even knowing those facts to the full, they are clearly enough shown to
10 Why use digital signature for electronic commerce? John Angel

For centuries paper has been the only means for recording and carrying messages and concluding contracts.11 It has been regarded as the sole and reliable means for protecting the rights and obligations of the parties.

An important characteristic of traditional signatures is that each person has his or her own unique signature, and it is very difficult to manipulate, imitate, reproduce or change a traditional signature. For many years the traditional signature has had an important role in the commercial world, and it is still a means of identifying the parties to a commercial transaction. Handwritten signatures were a strong declaration of intent and a proof of the parties’ commitment to the transaction.

One of the questions about E-signatures is how to protect contracts.

What is Signature For?

A manuscript signature is accepted without question as legally effective in all jurisdictions around the world, assuming it has not been procured by fraud. It may be asked what legal effects such a signature is going to achieve.

Some primary functions of a physical signature are:
1. Evidence: Identifying the writer or sender of a document;
2. Intention: That the signatory intended the “signature” to be his signature;
3. Approval: The signatory approves of and adopts the contents of the document;
4. Ceremony: “As a form of ceremonial act safeguarding against undue haste or thoughtlessness”.12 13
5. Efficiency: A signature on a document often gives a sense of clarity and finality to the transaction.

11 Dissertation, In pace with the new technologies: electronic and handwritten signatures, a functional equivalent approach that needs international harmonization, Khaldoun Nazer, 2000
12 To see more: Electronic Signatures Law and Regulation, Lorna Brazell, July 2004, Page 12
13 “The act of signing a document calls to the signer’s attention the legal significance of the signer’s act.” Article: “The use and legal recognition of Digital Signatures in Electronic Commerce.” Dilimiti Evangelia, 2001

However, a requirement for a signature does not mean that only a handwritten signature will be sufficient.14 The assumption is that manuscript signatures are unique and that, therefore, such a comparison is all that is necessary to provide evidence of identity. Intention to sign is normally presumed, as the act of affixing a manuscript signature to a document is universally recognised as signing.15 Intention to sign is disputed where the affixing of the signature has been procured by fraud. In such a case the signatory bears the burden of displacing the presumption that he intended to sign. A difficulty arises when the relevant law imposes specific requirements as to the form the signature must take. In the internet environment the documents to be signed exist as a matter of metaphysics.16

A mark on a piece of paper or a document has the characteristic of visibility, and there is the possibility of physical alteration of the paper which is marked. In an electronic document communicated on the internet, signs are capable of producing documents which exhibit these characteristics. A distinction must be made between a physical signature and an electronic signature, and between the information content of a document and the carrier of that information. In the case of a physical signature on paper, a mark (ink) is placed on the carrier and adds to the information on the paper. On the contrary, an electronic signature makes no mark at all; it alters the information content of the documents.17 Changes in a carrier18 are not important. For example, the signatory’s name is added to the document as a code or as a digital image of the manuscript signature. In these kinds of documents, signatures are added in binary form (a set of 1s and 0s). These can be visible or invisible and can be printed out. But in fact, because the document is made up of binary data (bytes), the contents of the document, but not the attached signature, would be visible. Moreover, attaching this type of “signature” to the document makes a physical alteration to the carrier, but that alteration takes place at a microscopic level.19

14 In Jenkins v. Gaisford & Thring, In the Goods of Jenkins (1863) 3 Sw. & Tr. 93, a testator made his signature on a codicil to a will using an engraved stamp of his signature which had been made because an illness had left him too weak to write. The stamp was applied by a servant in the testator's presence and under his direction. The court held that the codicil was validly signed under the Statute of Wills s. 9 (1 Vict. c. 26). http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_3/reed/footnotes/
15 See eg L’Estrange v F Graucob Ltd [1934] 2 KB 394 at 403, per Scrutton LJ.
16 However it is possible for the law to impose “logical” requirements. Since then, the only requirement of form proposed for electronic signatures is that their validity should depend on compliance with particular technical standards. See eg Utah Digital Signature rules (Rule 154-10 of Utah Commerce, Corporation and commercial code) R 301 (4) (a), German Digital Signature Act (Signaturgesetz) art 14(4), German Digital Signature Ordinance (Signaturverordnung, made under Digital Signature Act 1997, art 19 in force 1 November 1997 and article 16(6)

In the case law, the bits which make up the document are not modified. For this reason, merely adding a scanned image of a manuscript signature to a document will in many cases not produce an adequate signature. A legally valid signature of an electronic document may make use of a mathematical function based on the document’s data content. The process can meet all the law’s evidential requirements for signatures, but can only be considered a mathematical mark.

On-line contracts are a fundamental requirement for the growth of e-commerce on the internet. On-line electronic contracts involve the exchange of messages between buyers and sellers, structured according to a prearranged format so that the contracts are machine-processable and automatically give rise to contractual obligations.

In summary, signatures have the following functions:
1. Signature Authentication: a signature should indicate who signed a document.
2. Document Authentication: a signature should identify what is signed.

17 In Internet Law (Chris Reed) it is stated that there is a question which is asked by those unfamiliar with computer science: “can I place the digital document on a floppy disk and sign the disk’s label?” The digital document on the floppy disk can be modified.
18 Carrier means a floppy disk or smart card.
19 In the case of magnetic storage media such as disks or tapes, the magnetic polarity of particular areas of the medium is switched by moving electrons into new orbits.

Identity and Liability, Function of Digital Signature:

One of the fundamental issues in carrying out a contract remotely is how to establish the identity of the other parties. Clearly, a transaction with an unknown person situated in a distant and unfamiliar place involves an increased risk of fraud. In other words, digital signature technology has been developed to address the authentication needs of parties. Today, the most famous solution is the use of public key cryptography20 to create a specific form of electronic signature which is known as a digital signature.

1- Authentication: The most important function of a digital signature is authentication. Obviously, a digital signature provides even stronger authentication than a handwritten signature.


The term “authentication” is defined in the Oxford English Dictionary as follows: “the development of meaning [of this word] is involved, and influenced by Medieval Latin and French. Senses 3 ['entitled to acceptance or belief as being in accordance with fact; reliable, trustworthy'] and 4 ['original, first-hand, prototypical'] seem to combine the ideas of 'authoritative' and 'original'.”

20 Article 931 “Stipulating a notarial contract”
21 Ibid

Law dictionaries give various definitions of signature. Some provide a definition that is similar to the Oxford English Dictionary definition, such as:

“An indication, by sign, mark, or generally by the writing of a name or initials, that a person intends to bind himself to the contents of a Document.”22

Black’s Law Dictionary defines it as: “1. A person's name or mark written by that person or at that person's direction. 2. Commercial law. Any name, mark, or writing used with the intention of authenticating a document.”23

2- Integrity: The other function of a digital signature is to ensure integrity. This means verification of the accuracy of a message in the communication between parties. The recipient of the message can ensure that the message has been received without changes. In fact, it prevents a third party from altering the document, even slightly, without detection. The hash function provides integrity.

What is Digital Signature?

Digital signature is a functional subset of the more inclusive term “electronic signature.”

Digital signature has been defined in the ICC’s General Usage for International Digitally Ensured Commerce (GUIDEC) as “a transformation of a message using an asymmetric cryptosystem such that a person having the ensured message and the ensurer’s public key can accurately determine: a) whether the transformation was created using the private key that corresponds to the signer’s public key; b) whether the signed message has been altered since the transformation was made.”24

22 J E Penner, Mozley & Whiteley's Law Dictionary, 12th edition, 2001.
23 Bryan A Garner, Black’s Law Dictionary, 7th Edition, 1999.
24 Dissertation: “The use and legal recognition of digital signature in electronic commerce” by Dilimiti Evangelia, 2001

A digital signature is created by the signer using a private cryptographic key known only to him or her. It reduces the risk of fraud. It may be read using a separate second key, which is made public.

Digital signatures have some advantages, including the ability to prove whether or not the signed message has been tampered with since it was signed. However, this system requires some mechanism whereby a public key can be shown to be linked to a particular person, since the key by itself does not evidence anything at all.25

This need is met by a third party which independently verifies the identity of the key holder and issues an electronic certificate confirming to the rest of the world that a particular key is associated with a particular person. The network of certification authorities and associated certificate databases or directories is known as a public key infrastructure (PKI).
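The following Python sketch is an added example and is not part of the dissertation. It contrasts a pasted scanned image with a signature computed from the document's content, covering both GUIDEC tests, and then shows a certification authority binding a public key to a name. The key pairs (textbook RSA over Mersenne primes, no padding), the party names and the contract text are constructed for illustration and are not suitable for real use.

```python
"""Scanned-image "signature" versus digital signature, with a certificate.

Added illustration, not code from the dissertation. The keys are CONSTRUCTED
demo values: textbook RSA over Mersenne primes, bare SHA-256 digest, no
padding. This shows the mechanics only and is not safe for real documents.
"""
import hashlib

E = 65537  # public exponent used by every demo key pair
MARK = b"\n--scanned-signature--\n"
SCAN = b"<constructed bytes standing in for a scanned manuscript signature>"


def make_keypair(p: int, q: int) -> dict:
    """Build a demo RSA key pair from two known primes."""
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}


def public_part(key: dict) -> dict:
    """The half of the key pair that is published."""
    return {"n": key["n"], "e": key["e"]}


def digest(data: bytes) -> int:
    """Hash function: any change to the data changes this value."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, key: dict) -> int:
    """Transform the document digest with the private key."""
    return pow(digest(data), key["d"], key["n"])


def verify(data: bytes, signature: int, pub: dict) -> bool:
    """Answers GUIDEC (a) and (b) together: right key, unaltered message."""
    if not 0 <= signature < pub["n"]:
        return False
    return pow(signature, pub["e"], pub["n"]) == digest(data)


def paste_scan(document: bytes) -> bytes:
    """Scanned-image approach: the image is appended, not computed."""
    return document + MARK + SCAN


def scan_matches_specimen(blob: bytes) -> bool:
    """All a reader can check about a pasted image: it matches the specimen."""
    return blob.endswith(MARK + SCAN)


def issue_certificate(name: str, subject_pub: dict, ca_key: dict) -> dict:
    """The CA signs the statement 'this public key belongs to this name'."""
    binding = f"{name}|{subject_pub['n']}|{subject_pub['e']}".encode()
    return {"name": name, "pub": subject_pub, "ca_sig": sign(binding, ca_key)}


def check_certificate(cert: dict, ca_pub: dict) -> bool:
    """Rebuild the binding from the certificate fields, check the CA signature."""
    pub = cert["pub"]
    binding = f"{cert['name']}|{pub['n']}|{pub['e']}".encode()
    return verify(binding, cert["ca_sig"], ca_pub)


def run_demo() -> dict:
    # Constructed parties and keys (hypothetical names).
    alice = make_keypair(2**521 - 1, 2**607 - 1)
    mallory = make_keypair(2**1279 - 1, 2**2203 - 1)
    ca = make_keypair(2**2281 - 1, 2**3217 - 1)

    # Constructed sample contract text and a one-digit alteration of it.
    contract = b"Offer: GBP 239 a ton for 100 tons of cathodes."
    altered = b"Offer: GBP 139 a ton for 100 tons of cathodes."

    sig = sign(contract, alice)
    cert = issue_certificate("Alice Ltd", public_part(alice), ca)
    swapped = dict(cert, pub=public_part(mallory))  # same name, other key

    return {
        "scan_on_original": scan_matches_specimen(paste_scan(contract)),
        "scan_on_altered": scan_matches_specimen(paste_scan(altered)),
        "signature_on_original": verify(contract, sig, public_part(alice)),
        "signature_on_altered": verify(altered, sig, public_part(alice)),
        "signature_by_other_key": verify(
            contract, sign(contract, mallory), public_part(alice)),
        "certificate_valid": check_certificate(cert, public_part(ca)),
        "certificate_key_swapped": check_certificate(swapped, public_part(ca)),
    }


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The pasted image passes its only available check on the altered text as well, while the computed signature fails on the altered text and on a signature made with another key. The certificate check fails once the key inside it is swapped, which is the link between key and person that the key alone cannot evidence.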

English Legal Effects of signatures in the law of Contract

Under English law, a statutory signature requirement almost always relates to a particular document.26

The first statutory signature requirement was introduced in the Statute of Frauds 1677.

The English Statute of Frauds 1677

In the seventeenth century, the Statute of Frauds was introduced because of the legal procedure of the time. The principal forms included the “covenant”, which is a written sealed document, and also an action by “wager of law” (a method of proof using numerous witnesses under oath). Without a “covenant” it would be very difficult to enforce contracts. The majority of the statute relates to protecting interests in property generally; the provisions relating to contracts are sections 4 and 17. These sections state: “No action shall be brought whereby to charge any executor or administrator upon any special promise to answer damages out of his own estate; or whereby to charge the defendant upon any special promise to answer for the debt, default or miscarriage of another person; or to charge any person upon any agreement made upon consideration of marriage; or upon any contract or sale of lands, tenements or hereditaments, or any interest in or concerning them; or upon any agreement that is not to be performed within the space of one year from the making thereof; unless the agreement upon which action shall be brought, or some memorandum or note thereof, shall be in writing and signed by the party to be charged therewith or some other person thereunto by him lawfully authorized.”

25 Internet Law, Text and Materials, Chris Reed, 2004, page 186
26 A document is defined in the Civil Evidence Act 1995, section 13 as: “… anything in which information of any description is recorded, and “copy”, in relation to a document, means anything onto which information recorded in the document has been copied, by whatever means and whether directly or indirectly.” The Civil Procedure Rules 1999 also provide a meaning of a document in Part 31, as: “…anything in which information of any description is recorded”

In 1954 the majority of section 4 was repealed, although the phrase reading: “any special promise to answer for the debt, default or miscarriage of another person” remains.27

Section 17 was also replaced in 1954,28 and it adds one category for the formation of contract. It stated: “No contract for the sale of goods, wares or merchandises for the price of £10 sterling or upwards shall be allowed to be good except the buyer shall accept part of the goods so sold and actually receive the same, or give something in earnest to bind the bargain or in part payment, or that some note or memorandum in writing of the said bargain be made and signed by the parties to be charged by such contract or their agents thereunto lawfully authorized.”

27 A decision of the House of Lords on its application was handed down as recently as April 2003: Actionstrength Ltd v International Glass Engineering In.Gl.En.
28 It was replaced in 1893 by s.4 of the Sale of Goods Act.

Civil Law Approach:

In civil law systems a signature is required. France has an evidence rule which says that: “no proof by witnesses against or beyond the contents of instruments [not] as to what is alleged to have been said previously, at the time of or since they were made shall be allowed.”29

What can be signature under English Law?

The first case law concerning what can be a signature is found in the nineteenth century. Most of these cases concerned the “execution of the will.” English wills are governed by the Wills Act 1837. The first English judge to admit a signature mark (stamp) was Sir Cresswell, in deciding Jenkins v Gaisford & Thring, an 1863 case under the Wills Act 1837. This case concerned the estate of Mr. Jenkins who, because he was sick, had had a stamp made. He used this for signing documents in his later years. In this case Sir Cresswell stated: “The word 'signed' must have the same meaning whether the signature is made by the testator himself or by some other person in his presence and by his direction. Whether the mark was made by a pen or by some other instrument cannot make any difference, neither can it in reason make a difference that a facsimile of the whole name was impressed on the will instead of a mere mark or X.” He concluded that if the stamp had been applied by the testator, the result would be a valid signature.30

Goodman v J Eban Ltd31 was a case concerning the requirements of section 65 of the Solicitors' Act 1932.32 The case was about a bill delivered by a solicitor to a client to be signed. The general principle was expressed by Lord Evershed M.R., who stated: “the essential requirement of signing is the affixing, either by writing with a pen or pencil or by otherwise impressing on the document, one’s name or “signature” so as to personally authenticate the document.”33 The conclusion of Lord Evershed M.R. in Goodman relied upon the Oxford English Dictionary definition of signature, which, as defined, “merely requires the placing of a distinguishing mark upon a (thing or person).”34 He considered that a signature should be a writing or at the least a mark made by the hand of the signatory. He explained his position on the ground that it: “lies in the fact that no two persons write exactly alike, and so it carries on the face of it a guarantee that the person who signs has given his personal attention to the document. A rubber stamp carries with it no such guarantee because it can be affixed by anyone. The affixing of it depends on the internal office arrangements with which the recipient has nothing to do. This is such common knowledge that a 'rubber stamp' is contemptuously used to denote the thoughtless impress of an automaton, in contrast to the reasoned attention of a sensible person.”35

29 But this rule itself is no longer applied in commercial transactions.
30 The same issue arose in this case: Bennett v Brumfitt; 1867 L.R. 3 C.P. 28.
31 [1954] Q.B. 550.
32 See book: Electronic Signatures Law and Regulation, Lorna Brazell, 2003, Page 19.

Without doubt, in his opinion a typewritten or printed name would not be considered a signature.

Newborne v Sensolid (Great Britain) Limited concerned a contract made by a company. The contract had the name of the company, and below this was the manuscript signature of Mr. Newborne. The issue was whether or not the typewritten name of the company was a valid signature. A printed signature under the Public Health Act 1875 had been applied. In fact, it was never decided in this case whether the printed signature was valid, but generally in this case the printed signature was supported as valid.

In 1995, the first case about electronic signature was decided. The case of Re a Debtor (No. 2021 of 1995), Ex p. Inland Revenue Commissioners, was about a signature that came from a fax machine. Laddie J. said in that case that the purpose of signing was to authenticate the document.36

33 Ibid 23
34 Ibid 24
35 Ibid
36 [1996] 2 All E.R. 345.

Electronic Signature Technology:

Electronic signature technology was developed to address the authentication needs of companies and consumers as they engage in on-line transactions, allowing parties to authenticate their electronic documents on a network or on the internet and so make up for the lack of a printed document. “The term “Authenticate” refers to a large class of electronic applications whose function may range from pure identification and authorization to legal recognition.”37 When referring to specific authentication techniques, the terms “Electronic Signature” and “Digital Signature” are often used interchangeably. In fact, an electronic signature is produced by applying a mathematical function to the document, which identifies the signatory and authenticates the content of the document.

The definition of "electronic signature" in the Electronic Signatures Directive is: “‘electronic signature’ means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication”38

This definition is very similar to many definitions adopted in other jurisdictions around the world. It sets two criteria: (1) there must be some form of attachment to the data which are being signed, and (2) the signature data must serve as a method of authentication.

The Directive does not clearly define “attached to”. An attached signature can be a scanned image of a manuscript signature inserted into a word processing file. Moreover, the electronic signatures that authenticate an electronic document are not attached to the remainder of the document in any physical sense.

37 Internet Law, Text and Materials, Chris Reed, 2004, page 186
38 Directive 1999/93/EC, framework for electronic signatures, Article 2, Definitions

According to the definition provided by the UNCITRAL Model Law on Electronic Signatures, article 2 definitions:

“For the purposes of this Law: (a) “Electronic signature” means data in electronic form in, affixed to or logically associated with, a data message, which may be used to identify the signatory in relation to the data message and to indicate the signatory’s approval of the information contained in the data message.”39

Moreover, section 8 of the Singapore Electronic Transactions Act has defined electronic signatures as:

1. Where a rule of law requires a signature, or provides for certain consequences if a document is not signed, an electronic signature40 satisfies that rule of law.

2. An electronic signature may be proved in any manner, including by showing that a procedure existed by which it is necessary for a party, in order to proceed further with a transaction, to have executed a symbol or security procedure for the purpose of verifying that an electronic record is that of such party.

These definitions are appropriately technology-neutral: they do not specify a particular type of technology that must be used41. As a result, an electronic signature can be a facsimile signature, a digital signature, a smart card, or any other method. However, an important factor among electronic methods is the level of security.

Some Formats of Electronic Signature Technology

Some questions are important to answer from a legal point of view, such as: what kinds of authentication technologies exist? Which signature can be used? And can an electronic signature qualify as a signature under the law? Some jurisdictions accept the use of a special category of electronic signature, for example public key cryptography.

39 UNCITRAL Model Law on Electronic Signatures 2001 and Guide to Enactment, United Nations, 30 January 2001 / 38th NY 12-23/3/2001, Article 2.
40 It is defined in section 2 of the Singapore Electronic Transactions Act 1998 as: "electronic signature" means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted with the intention of authenticating or approving the electronic record.
41 “The use and legal recognition of digital signature in electronic commerce” by Dilimiti Evangelia, 2001

Password or Personal Identification Number “PIN”

A more secure option is for the signatory to type a password or personal identification number (PIN) at the end of the document or for bank transactions. For example, in the United Kingdom, credit card transactions traditionally involved the customer signing a receipt so that the shopkeeper could check it against the signature on the back of the customer’s credit card. However, this system has been replaced by one in which customers have to enter their Personal Identification Number (PIN), which is provided by the card issuer.

A password or PIN has some advantages in comparison with a written signature. Unlike a written signature, which is published in public, the password or PIN can be kept secret by encryption, so that no one else knows the password or PIN. However, in the password and PIN system there is the risk of discovery by another person, and once the password or PIN is discovered, the finder can use that credit card.

A PIN should ideally contain both letters and numbers and be long enough to make guessing the PIN impractical. However, a long PIN is harder for the signatory to remember. A PIN of 98 characters consisting of random letters and numbers is one which no one would be able to remember. Users would write it down, and thus the PIN would become insecure.

Scan of hand written signature:

A further alternative is to sign a piece of paper using a pen, then scan it and convert it to data which is capable of attachment to a document. This electronic signature can then be attached to the document. With this method, everyone can sign his or her name. Lorna Brazell argued: “The traditional method of signing means that the attention of signatory is focused on the significance of their act in the same way as when executing a paper document.”42

One of the disadvantages of an electronic image signature is that, once the signature exists, it is very easy to copy; in addition, a handwritten signature can be forged. It is extremely easy for someone to copy that electronic signature: “even if an image scan does not exist of a particular individual’s signature, a would-be forger could obtain a copy of the subject’s handwritten signature from another paper document, scan it and pass it off as if the subject had performed the scan themselves.”43

Taking into consideration this weakness, it is highly unlikely that this method can be commonly used as a means of electronic signature.

Electronic Pen or Light Pen

Another method is to use a light pen to draw an electronic image. This method has the same weakness as the scan of a handwritten signature.

Click-wrap Button (clicking the “I accept” button placed on a website)

This method is currently available on the internet. For instance, on an e-commerce website, customers are required to indicate acceptance of the terms and conditions by clicking an “I accept” or “I agree” button. In this method, the click on the “I accept” button generates a binary digit of information which is attached to the document or transaction. This method satisfies the Electronic Signatures Directive’s definition of an electronic signature. The button click is an acceptance, and is likely to be enforceable in most jurisdictions as a signature.

42 Electronic Signatures Law and Regulation, Lorna Brazell, 2003
43 Ibid, Page 38

Biometrics

Biometrics is the science and technology of authentication by measuring the subject person’s physiological or behavioral features. Biometrics usually refers to technologies for measuring and analyzing human physiological characteristics such as fingerprints, retina scans, iris scans, voice patterns and facial patterns, especially for authentication purposes. However, biometrics are problematic because the human body varies, and illness and age can also affect a biometric test.

Obviously, digitized biometric data which are attached to a file as a means of authentication satisfy the definition of Digital signature in the Electronic Signature Directive. As was said above, digitized biometric data are attached to a file; hence, some system is necessary to prevent unauthorized copying.

Where a biometric digital signature is used as an electronic signature, a method is needed by which the recipient of the document can check that the electronic signature belongs to a particular individual, such as a third party which holds a central database of biometric data. In this section I will explain some of the biometric authentication methods which exist:

Retina Scan:

This information might take the form of:

1. An encryption key, a large binary number of 56 or more digits. Because humans cannot easily remember such numbers, nor key them in accurately, the encryption key will normally be stored on an information storage device such as a smart card, a memory stick or the hard disk of the signatory’s computer.

2. Biometric data, such as the signatory’s fingerprint, retina scan or iris scan.44

The retina is a thin layer of cells at the back of the eyeball of vertebrates and some cephalopods; it is the part of the eye which converts light into nervous signals.45

44 Internet Law Text and Materials, Second Edition, Chris Reed, 2004, Cambridge, page 145
45 http://www.britannica.com/eb/article-9063313?query=retina&ct=

[Figure]46

It has been known since the 1930s that each human being has a unique pattern of retinal blood vessels, known as the “retinal vascular pattern”.47

No two retinal vascular patterns are the same, hence, they provide a means of reliable personal identification. Moreover, the pattern of retinal blood vessels changes very little.

[Figure]48

To scan a retina, a camera looks through the pupil and scans the user’s retina, which takes around 10 seconds.49 Retina scanning has been improved so that users can be scanned from a distance and the scan is not affected by the subject wearing contact lenses.

46 http://en.wikipedia.org/wiki/Retina
47 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, Page 41
48 Ibid
49 Ibid.

Iris Scan

An iris scan is one of the most currently used methods of biometric authentication. Using a small camera, an iris scan system examines both irises of the individual's eyes. It then takes advantage of small details in the iris stromal pattern in order to attempt positive identification of an individual.

[Figure]50

The texture of the iris arises from a “complex fibrous structure known as the trabecular meshwork, which forms during the latter stages of gestation and all but finishes developing prior to birth. Its function is to drain the aqueous humor from the eye.”51 The iris of each person is unique, even between identical twins, and the patterns in the iris do not change.52

50 http://www.cl.cam.ac.uk/users/jgd1000/sampleiris.jpg
51 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, Page 42
52 "Biometric-Advanced Identity Verification", Julian Ashbourn (2000), p. 52, Springer-Verlag London Ltd.

A camera captures an image of the iris of users who place themselves in front of the device. Some techniques omit from the image some parts of the eye, such as the eyelashes and the pupil. Signal processing techniques53 are applied to the iris image to encode the data. Users may use an iris scanning device from up to two feet away.

It is understood that iris scanning is an accurate biometric method. Neither contact lenses nor spectacles affect the iris scanning device.

Face Recognition:

Facial recognition is the primary means by which humans identify one person from another, hence photographs of people appear on many documents such as passports. Computer systems have been developed to help specialists to identify people from their facial photographs. In other words, a facial recognition system is a computer-driven application for automatically identifying a person from a digital image. These systems typically work by capturing an image of a person’s face and searching for it in a database. One of the strongest advantages of facial recognition is that it can be applied from a distance, without requiring the subjects to wait for a long time or even without their noticing. However, as Lorna Brazell argued: “Many people have expressed civil liberties concerns over the potential use of facial recognition cameras placed inconspicuously or surreptitiously, and this raises a concern as to whether a person's facial recognition-based electronic signature could be captured from them without their consent or knowledge.”54

53 Gabor Filters
54 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, Page 44

Face Recognition55

Fingerprints and Handprints

One of the most useful and successful biometric products is fingerprints. As Anderson stated in his book, more than 70 per cent of the biometric technology products sold have been fingerprint products.56

Fingerprints “afford an infallible”57 means of personal identification, because the ridge arrangement on every finger of every human being is unique and does not alter with growth or age. Moreover, if a finger is damaged, it will normally heal in such a way that the fingerprint is restored. For this reason, a person's fingerprint can be used as a method to identify people.

55 http://bias.csr.unibo.it/research/biolab/bio_tree.html
56 R. Anderson, "Security Engineering", (2001) John Wiley & Sons, Inc. p. 265.
57 http://www.britannica.com/eb/article-9034291?query=fingerprint&ct=

A fingerprint is an imprint made by the pattern of ridges on the ends of the fingers and thumbs.58 There are three basic fingerprint patterns: Arch, Loop and Whorl.

Fingerprints can be captured by a scanner. Recently IBM has installed a fingerprint scanner in its laptop products to identify their owners. A modern scanner is a very small device which can be attached to a computer or integrated into a keyboard. Such scanners are very easy to use, hence their common use as a means of providing electronic signatures.

[Figure]59

Hand/finger geometry

Unlike fingerprints, the human hand isn't unique. One can use finger length, thickness, shape, size and other details and curvature for the purposes of verification but not for identification.60 The advantage of this method is that hand geometry data is easier to collect and, furthermore, hand geometry can be combined with other biometrics, such as fingerprints. The system consists of an acquisition device that captures the top view and side view of a user's right hand as he places it on the flat surface of the device. This system produces three-dimensional information based on the hand’s geometry.

58 http://www.britannica.com/eb/article-9034291?query=fingerprint&ct= and http://en.wikipedia.org/wiki/Fingerprint
59 www.finger-scan.com
60 http://biometrics.cse.msu.edu/hand_geometry.html By Arun Ross and Anil Jain

Hand Geometry 61

As was said above, the human hand is not unique. The question remains whether the data which are produced from the hand are suitable for use as an electronic signature. Moreover, another disadvantage of hand geometry is the large size of the device in comparison with a fingerprint device or an iris scanning device; the data may also be affected by injuries or by jewelry worn on the hand.

Voice / Voice Print

A voice biometric is a numerical model of the sound, pattern and rhythm of an individual’s voice. A voice biometric, or "voice print", is unique like a finger or palm print. Lorna Brazell has written: “Voice biometric products analyze the waveform dynamics of a short utterance by the subject which result from such features as the length of the vocal tract and the shape of the mouth and nasal cavities, together with regional accents and affectations.” The sound signal is then converted to data for the electronic signature. Voice biometric devices are easy to use, and users feel more comfortable using a microphone than looking into an iris scanning device. If the user suffers from a cold, laryngitis or any other illness which changes his voice, he will have a problem with electronic signatures based on his voice. Furthermore, the human voice changes over time, which affects the voice biometric device. Consequently, this may limit the usefulness of this technology for making electronic signatures.

61 http://bias.csr.unibo.it/research/biolab/bio_tree.html

Vein Patterns

Fast, accurate and robust personal identification is an increasingly important issue. A recent biometric method has been discovered, which is the analysis of vein patterns for the purpose of identification. It is understood that the vein patterns in human hands are unique and do not change over a lifetime. The devices using vein pattern biometrics are typically hand based, and they use infra-red to scan the vein pattern in a person’s hand. These devices have only just come to the commercial market. It is still too soon to say that these devices are suitable for electronic signatures. However, companies have integrated these devices into the mouse or keyboard, which can scan the pattern of blood veins in the person's palm.62

Ear Lobes

The external part of the ear is used as a biometric identifier. It is based on the distinctive shape of each person’s ears and the structure of the largely cartilaginous, projecting portion of the outer ear.

Facial Thermograms63

62 Fujitsu Laboratories Ltd. today announced the development of highly precise biometric authentication technology that can verify a person's identity by recognizing the pattern of blood veins in the person's palm. http://pr.fujitsu.com/en/news/2002/08/28.html
63 Biometric recognition: techniques, applications and challenges, Anil K. Jain, Arun Ross,

The human face can provide physiological indicators of underlying health or disease, or it can be used as a biometric identifier. An infrared camera is used to capture an image of the face. The camera detects the heat pattern created by the vessels of the face.

Keystroke dynamics

Keystroke dynamics is the process of analyzing the way users type by monitoring password and keyboard inputs and authenticating them based on habitual patterns in their typing rhythm. The problem with keystroke recognition is that “there are no known features or feature transformations which are dedicated solely to carrying discriminating information.”64 Net Nanny Software Inc has developed software for identifying and authenticating passwords typed on a normal computer keyboard, which is incorporated in their program “BioPassword”. With this software, the user provides a series of typing samples to teach the software their unique typing rhythm.65

DNA matching or DNA fingerprinting or DNA typing

One of the most important solutions for identifying an individual is matching DNA samples. The technique was developed in 1984 by the British geneticist Alec Jeffreys at the University of Leicester.66 The process of taking this test takes some days or weeks. Two humans will have the vast majority of their DNA sequence in common.67 DNA typing raises some issues such as privacy: the data collected from this test can be used not only to identify an individual but also to obtain some information about his body.

64 Keystroke Dynamics as a Biometric for Authentication, Fabian Monrose, Courant Institute of Mathematical Sciences, New York University, New York, NY., and Aviel D. Rubin, AT&T Labs - Research, http://www.cs.jhu.edu/~fabian/papers/fgcs.pdf and see http://et.wcu.edu/aidc/BioWebPages/Biometrics_Keystroke.html
65 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, Page 48
66 http://www.britannica.com/eb/article-9030731?query=DNA%20matching&ct= and http://en.wikipedia.org/wiki/DNA_typing
67 http://en.wikipedia.org/wiki/DNA_typing

Biometrics Conclusion:

Most of these biometric technologies can produce advanced electronic signatures and they can satisfy the Electronic Signatures Directive. Clearly, some of them, such as DNA typing, are not suited to creating electronic signatures. In practice, the usage of biometrics may be limited by:

1. “Rejection due to personal reasons;
2. Cultural incompatibility;
3. Absence of the respective biometric;
4. Insufficiently unique characteristics of the respective biometric feature;
5. Abnormal characteristics of the respective biometric feature.”68

For most business transactions, biometric methods provide a quick, safe and easy means to create an electronic signature. The recipient of such data can be confident that the document was truly formed by the signatory. As I said above, several different methods exist to sign documents electronically. These electronic signatures vary from very simple methods, such as a scanned image of a handwritten signature in a word processing document, to advanced methods such as fingerprint scanning or other biometric methods. A question in using a biometric method is how and where the data of the signatory will be stored so that verification is secure. In order to enforce the signatory’s legal obligations, the recipient of the document needs to prove the signature; he will do so by producing extrinsic evidence that:

1. The signature key or biometric data did in fact originate from the purported signatory.

2. The linking of the information to the document could not have been effected by a third party.69

68 Electronic Signatures law and Regulation , Lorna Brazell, 2003, Page 49 and "Use of Biometrics for User Verification in Electronic Signature Smartcards", B Sturif 2000. In Smart Card Programming and Security-Proceedings of the International Conference on Research in Smart Cards (Esmart) (Cannes, France, September 2001), pp. 220-228.

69 Internet Law Text and Materials, Second Edition Chris Reed, 2004 , Cambridge, page 145

The solution is likely to be a combination of biometric systems with digital signatures. However, the signature key or biometric data needs to be kept secret, to prevent third parties from affecting the messages which are apparently signed by the signatory.

Encryption

Digital signatures are the most effective and workable means of establishing the level of trust required between parties to a business transaction. They are provided by “public key” cryptography.

“Cryptography” means hidden writing: the art and science of hiding the meaning of a communication from unintended recipients, and also the science of transforming readable text into cipher text and back again. Lorna Brazell stated: “cryptography is not the only means of securing the confidentiality of data or messages. Steganography involves hiding not just the contents of the message, but the fact that there is a message at all.”70

Cryptography is an art which goes back thousands of years. Hundreds of different enciphering methods have since become known, and the only secure encryption methods have become known with the invention of the computer. The method is really very simple: sender and receiver of the message both have a key which tells them, for each letter of the message, how to translate it.

Cryptography is an important instrument for achieving secure electronic signatures. There are a number of ways that cryptography can work in an electronic environment. The two common forms of cryptography are private key encryption and public key encryption, which are known respectively as symmetric and asymmetric encryption. In both of them a complex series of rules is applied to produce the cipher.71

70 Electronic Signatures law and Regulation , Lorna Brazell, 2003, Page 49

The basic nature of encryption in both models is that the author of an electronic document can sign the document by using a secret cryptographic key. In each method, “the algorithm calculates the transposition of each letter of the plaintext based upon a number which is called the key.”72

The biometric data needs to be kept secret, to prevent third parties from producing messages which appear to be signed by the signatory. The signature information is attached to the message by means of asymmetric cryptography, which uses a public and a private key.

Private Key encryption: 73

Private Key encryption was the only available option prior to the advent of Public Key encryption in 1976. In private key encryption, both parties use the same key to encrypt and to decrypt messages. It is necessary for both sides to know and agree the key in advance hence, when using this form of encryption, it is essential that the sender and receiver have a way to exchange secret keys in a secure manner.

If someone else learns or can figure out the secret key, communications will be insecure, which means that all subsequent encrypted messages could be read.74

There are two methods of breaking symmetric75 encryption. There is the risk of loss of the key, which means all the encrypted messages could be read, and the key can be used for one exchange of messages.

The most commonly used private key encryption is the Data Encryption Standard (DES). DES is a highly complicated form of encryption which is effected in hardware; however, it requires a key (56-bit) which is common to sender and receiver and is secret from all others.76

71 Angel J, “Why use Digital Signatures for Electronic Commerce?”, 1999 (2) The Journal of Information, Law and Technology (JILT). http://www.law.warwick.ac.uk/jilt/99-2/angel.html
72 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, Page 49
73 To see more, Electronic signatures Authentication Technology from a Legal Perspective, M.H.M. Schellekens, Cambridge University, Page 20
74 Ibid
75 Private key or single key

Public key encryption77

Public key encryption is more secure than private key encryption, as it does not have the weakness of private key encryption. The secret keys do not have to be transmitted or revealed to anyone; thus, there is no need for one party to know the other’s private key in order to exchange encrypted messages. With this method, encrypting is very easy but decrypting without the key is extremely difficult, hence cracking public key encryption may take a couple of weeks. Public key encryption uses two keys, each of which decrypts a document encrypted by the other key. This means that one of them can always be kept secret while the other is made public.

The public key can be used by anyone to encrypt a message. Only the owner of the secret key can decrypt the message. A message encrypted using one key can then be decrypted using the other. The keys are generated using a large number. Thus, if two parties want to send information to each other, they exchange their public keys. The public keys could also be retrieved from a database which is open to the public. One of the best known public key encryption methods is RSA, which works as follows: when A sends a message to B, A encrypts the message using the public key of B. Only B can decipher the message, using his secret key.

This also means that A can encode a message with his own secret key, which B can decode by using the public key of A. It may seem that with this method everybody has access to the public key of A and can decrypt and read the message. This is true. On the other hand, B can be sure that the message can only originate from A, since he is the only one who knows the secret key. Without having contacted A before, B can trust the authenticity of a message. It is on this technology of sharing a public key that digital signatures are based. The keys can be generated by the user himself by running specific cryptography software.

76 To see more: Internet Law Text and Materials, Second Edition, Chris Reed, 2004, Cambridge, page 185
77 American Bar Association Digital Signature Guidelines, Page 15

The recipient of the message can check the identity of the author by decrypting the information with the public key of the presumed author.

Messages signed with the private key can be validated with the public key, but the public key cannot be used to create a signature for a new message. However, in order to check the validity of an electronic signature, the recipient needs to know both the public key of the signatory and the encryption system used to form the signature.

All encryption can be broken given sufficient time. Chris Reed argued: “The effectiveness of encryption as method of signing electronic documents relies on the fact that it is computationally infeasible to break the encryption method, thus become able to forge the signature, within a reasonable period of time.”78

The difference between Electronic and Digital Signatures

The terms “Electronic Signature” and “Digital Signature” are used interchangeably79.

78 Internet Law Text and Materials, Second Edition, Chris Reed, 2004, Cambridge, page 185. Computational infeasibility means that although the message can be in theory decoded, the amount of time this would take is so large that for practical purposes the encryption can be regarded as secure.
79 Stephen Mason referred: “This is also pointed out in para 2.2 of the Final Report of the EESSI Expert Team 20 July 1999 European Electronic Signature Standardization Initiative, available from http://www.ict.etsi.org/essi/Final-Reportdoc; also see GUIDEC II 'General Usage for International Digitally Ensured Commerce' for further discussion of terms, available at http://www.iccwbo.org/home/guidec/guidec_two/foreword.asp (viewed on 29 November 2001). GUIDEC II does not use the term 'electronic signature' but 'digital signature', thus adding to the confusion. In addition, the Draft Guide to Enactment of the UNCITRAL Model Law on Electronic Signatures, dated 12-23 March 2001 (A/CN.9/WG.IV/WP.88) also appears to refer to digital signatures and electronic signatures interchangeably: see para 3 1-62, available from http://www.uncitral.org/english/sessions/wgecldig- sign-bckdocs/index.htm (viewed on 20 July 2001).” Electronic Signatures in Law, Stephen Mason, 2004, Lexis Nexis UK, 2004, Page 100

Electronic Signature

The term electronic signature covers anything in electronic form which can be used to create a signature which has legal effect.80 An electronic signature refers to the concept of authentication when defined in legislation. As such, a “digital signature” is the specific use of public key techniques.81

Digital Signature:

The American Bar Association has introduced a definition of Digital Signature, which is: “A transformation of a message using an asymmetric cryptosystem and a hash function82 such that a person having the initial message and the signer's public key can accurately determine:
(1) Whether the transformation was created using the private key that corresponds to the signer's public key, and
(2) Whether the initial message has been altered since the transformation was made.”83

A digital signature is based on asymmetric or public key cryptography. The digital signature can provide a higher degree of certainty for the party to rely on.

80 Electronic Signatures in Law, Stephen Mason, 2004, Lexis Nexis UK, 2004, Page 101
81 Carlisle Adams, Steve Lloyd, Understanding PKI: Concepts, Standards, and Deployment Considerations (2nd, 2002), page 185.
82 A hash function is used in creating and verifying a digital signature. A hash function is an algorithm which makes a digital representation or “fingerprint” in the form of a “hash value” or “hash result”. Accordingly, the American Bar Association “Digital Signature Guidelines”, page 11, states: “termed a "hash function" in computer jargon, is used in both creating and verifying a digital signature. A hash function creates in effect a digital freeze frame of the message, a code usually much smaller than the message but nevertheless unique to it. If the message changes, the hash result of the message will invariably be different. Hash functions enable the software for creating digital signatures to operate on smaller and predictable amounts of data, while still providing a strong evidentiary correlation to the original message content.”
83 American Bar Association “Digital Signature Guidelines”, paragraph 1.1 1.


Digital signatures: how they work

A digital signature is created from the data to be signed, using the signer’s private key. In signing a message to B, A would use his private key to produce the signature. A would use it on the document to encrypt the signature. The data that is encrypted is known as the “message digest”. A message digest is like the fingerprint of the message. It is calculated from the message, which is a long string of data that at a binary level is a single number. “Taking that number, the computer uses a message digest or hash85 function to calculate a shorter string, analogous to a fingerprint of the original, which nevertheless still represents the entire data string.”84

The message digest is different every time and dependent upon what message A is sending B. The digital signature is the message digest encrypted using A's private key. As a result, the digital signature has two characteristics:

1. It is unique to the subscriber, like a handwritten signature.
2. It is different every time because it depends upon the message.

As a result, a digital signature has some unique qualities. It cannot be copied: if the digital signature is cut from the text and pasted into another message, it will be incorrect. The recipient of the message can check it; if the two message digests are not the same, the recipient can conclude that the message does not in fact originate from the sender, and also that the message has been changed in transit.

84 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, page 52
85 Hash function: the American Bar Association “Digital Signature Guidelines”, page 11, state: “termed a "hash function" in computer jargon, is used in both creating and verifying a digital signature. A hash function creates in effect a digital freeze frame of the message, a code usually much smaller than the message but nevertheless unique to it. If the message changes, the hash result of the message will invariably be different. Hash functions enable the software for creating digital signatures to operate on smaller and predictable amounts of data, while still providing a strong evidentiary correlation to the original message content.”


Moreover, the American Bar Association guidelines state: “The processes of creating a digital signature and verifying it accomplish the essential effects desired of a signature:

Signer authentication: If a public and private key pair is associated with an identified signer as described below, a digital signature by the private key effectively identifies the signer with the message. The digital signature cannot be forged by a person other than the proper signer, unless the proper signer loses control of the private key, such as by divulging it or losing a computer-readable card and its associated personal identification number (PIN) or pass phrase.

Message authentication: The process of digitally signing also identifies the matter to be signed, typically with far greater certainty and precision than paper signatures. Verification also reveals any tampering with the message, since processing the hash results (one made at signing and the other made at verifying) discloses whether the message is the same as when signed.

Affirmative act: Creating a digital signature requires the signer to provide her private key and invoke a software function to create a digital signature. This act can be the basis of a ceremony and can be used in staging the completion of a transaction.

Efficiency: The processes of creating and verifying a digital signature provide a high level of assurance that the digital signature is genuinely the signer's and are almost entirely automated or capable of automation. They can be set up to run with great speed and accuracy, with human interaction only for non-routine processing decisions. Compared to paper methods such as checking bank signature cards, methods so impracticable that they are rarely actually used, digital signatures yield a high degree of assurance without adding greatly to the resources required for processing.”86

86 Ibid , Page 12.


Advantages of Digital Signatures

Obviously, a digital signature is different from a handwritten signature. A digital signature can be used to check the entirety of the data which is transmitted or stored. The recipient of the data can check it by decrypting with the archivist’s public key, and then he can compare the original message with the current message. However, there may be no way for the finder of an electronic document to find out what changes have been made; but at least they will know that the document is not to be trusted.87

The other advantage of digital signature is establishing the time of creation of a message or document.

The signature is not uniquely linked to the signatory. It is only linked to the signatory’s private key. For example, if someone else knows A’s key, the recipient of the digital signature cannot be sure that A intended to sign that document. Accordingly, a biometric method can create a secure mechanism to restrict access to the private key.

ID Certification

A famous cartoon from The New Yorker illustrates one of the best-known features of the internet. In a communication on the internet, the sender of a message cannot be presumed to be who he says he is, nor can the sender always be sure of the recipient’s true identity.

87 Ibid


“On the internet, nobody knows you're a dog”88

For most transactions, if the sender of the message is known there is no problem. However, if a party is dealing with someone for the first time, establishing the sender’s identity may be necessary before continuing with any transaction. This can be particularly important where the dealings have legal consequences. As a result: “Identification is a fundamental legal prerequisite to imposing liability on persons for their actions and transactions.”89

In the physical world, a notary or other official can check the identity of the signatory against identifying documents such as a passport or any other official document, and can verify the signature against the signature given on that document. However, the situation is different on the internet.

A mechanism is required to establish each party’s identity to the other’s satisfaction. For this reason, electronic signature laws, where the provisions on identity in electronic dealings are found, make specific rules for identification. Under UNCITRAL, Article 6 provides how an electronic signature or a method complies with a signature requirement. It states:

88 Cartoon by Peter Steiner, The New Yorker, July 5, 1993 issue (Vol. 69 (LXIX) no. 20), page 61
89 Internet Law: Text and Materials, Chris Reed, 2004, page 144


“1. Where the law requires a signature of a person, that requirement is met in relation to a data message if an electronic signature is used that is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement.

2. Paragraph 1 applies whether the requirement referred to therein is in the form of an obligation or whether the law simply provides consequences for the absence of a signature.

3. An electronic signature is considered to be reliable for the purpose of satisfying the requirement referred to in paragraph 1 if:

a. The signature creation data are, within the context in which they are used, linked to the signatory and to no other person;
b. The signature creation data were, at the time of signing, under the control of the signatory and of no other person;
c. Any alteration to the electronic signature, made after the time of signing, is detectable; and
d. Where a purpose of the legal requirement for a signature is to provide assurance as to the integrity of the information to which it relates, any alteration made to that information after the time of signing is detectable.

4. Paragraph 3 does not limit the ability of any person:

a. To establish in any other way, for the purpose of satisfying the requirement referred to in paragraph 1, the reliability of an electronic signature; or
b. To adduce evidence of the non-reliability of an electronic signature.

5. The provisions of this article do not apply to the following: [...].”90

Moreover, Article 6(1) sets reliability as the test for the effectiveness of an electronic signature, and the specific provisions of Article 6(3)(a) and (b) refer to identification of the signatory. Similarly, the Singapore provision shows that an online transaction is a matter of identification.

Singapore Electronic Transactions Act 1998, Article 13 (2) (a, b):

90 UNCITRAL Model law on Electronic Signatures 2001, Article 6: “http://www.uncitral.org/pdf/english/texts/electcom/ml-elecsig-e.pdf”


“(2) As between the originator and the addressee, an electronic record is deemed to be that of the originator if it was sent:

a. in order to ascertain whether the electronic record was that of the originator, the addressee properly applied a procedure previously agreed to by the originator for that purpose; or
b. the data message as received by the addressee resulted from the actions of a person whose relationship with the originator or with any agent of the originator enabled that person to gain access to a method used by the originator to identify electronic records as its own.”91

As a result, if the parties have not previously met or dealt with each other, and “the recipient have no knowledge whether the public key correspond to the purported identity of the signatory”92, this is where the existence of ID Certification is necessary.

An ID Certificate contains: (1) a copy of the public key and (2) a statement that the issuer of the certificate has checked the identity of the signatory.93 Moreover, the ID Certificate provides evidence from an independent third party that the person named in the certificate in fact has access to the unique certificate data.94

Certification of identity requires a complex infrastructure to be in place, and legal regulation is concerned with the effectiveness of that infrastructure.

CA’s, Certification Authority

ID Certificates are issued by a trusted organization, generally known as a Certification Authority (“CA”). The function of a CA is to bind the identity of a particular entity to a particular public key. In other words, the CA issues an ID certificate with a particular public key so that the recipient of the message can use the public key to verify the digital signature.

91 Singapore Electronic Transactions Act 1998, Part IV, Electronic Contracts, Article 13 (2) (a, b)
92 Internet Law: Text and Materials, Chris Reed, 2004, page 145
93 Ibid
94 Ibid


The first step is for the user to prove his identity to a CA organization; that organization can then link that identity with the user’s public signature key.95 The most important model of certificate is X.509. It contains:

1. Serial number
2. Starting and ending dates of validity for the certificate
3. Identity of holder
4. Public key of user

Moreover, the certificate may contain some more information about the user.96 Under Annex I of the EC Directive on electronic signatures, there are some requirements for qualified97 certification:

Qualified certificates must contain:
(a) an indication that the certificate is issued as a qualified certificate;
(b) the identification of the certification-service-provider and the State in which it is established;
(c) the name of the signatory or a pseudonym, which shall be identified as such;

95 Once the CA has secured evidence of identity and received a copy of the user’s public key, an ID Certificate is produced and sent electronically to the user.
96 American Bar Association, Digital Signature Guidelines; German Signature Law 2001, Article 7: “A signature key certificate shall contain at least the following: 1. The name of the signature key owner, which must be marked with an additional notation if there is the possibility of confusion, or with an unmistakable pseudonym attributable to the signature key owner, which shall be identified as such; 2. the attributed public signature key; 3. the name of the algorithms with which the public key of the signature key owner as well as the public key of the certifier can be used; 4. the number of the certificate; 5. the beginning and end of the certificate's validity; 6. the name of the certifier; 7. information as to whether use of the signature key is limited to specific types and scopes of applications; and 8. information concerning associated certificates. Information concerning the power of representation for a third party may in particular be recorded in the signature key certificate or associated certificates”; and Utah Digital Signature Rules (Rule 154-10 of the Utah Commerce, Corporation and Commercial Code).
97 In the Directive terminology, a “qualified” certificate of electronic signature has the same legal effect as a handwritten signature.


(d) provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended;
(e) signature-verification data which correspond to signature-creation data under the control of the signatory;
(f) an indication of the beginning and end of the period of validity of the certificate;
(g) the identity code of the certificate;
(h) the advanced electronic signature of the certification-service-provider issuing it;
(i) limitations on the scope of use of the certificate, if applicable; and
(j) limits on the value of transactions for which the certificate can be used, if applicable.98

If the certificate has been issued by a Certification Authority which is already known to the recipient, and whose public key is in the recipient’s possession, that key can be used to check the validity of the certificate. The recipient will decrypt the certificate’s signature with the certification authority’s public key; as a result, the recipient has strong evidence that the certificate was issued by that CA. An identity certificate will usually be issued with a limited period of validity, which will be stated in the certificate.
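The signing and checking steps described under “Digital signatures: how they work” and the certificate checks described in this section, as an added example that is not part of the original paper. It uses textbook RSA with no padding over constructed Mersenne-prime keys purely to make the mechanics visible; the key values, holder name, certificate layout and function names are assumptions, and real deployments use a vetted library with a padded scheme and X.509 encoding.

```python
import hashlib
import json
from datetime import date

E = 65537  # public exponent shared by all toy keys in this example


def make_keypair(p, q):
    """Build a textbook RSA key pair from two primes: ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest(message: bytes) -> int:
    """Message digest: SHA-256 'fingerprint' of the message as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Signature = the message digest transformed with the private key."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recover the signed digest with the public key and compare it with a
    digest computed afresh over the message as received."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


# The four X.509 items listed in the text (validity is two fields here).
SIGNED_FIELDS = ("serial", "holder", "public_key", "not_before", "not_after")


def encode_fields(cert) -> bytes:
    """Deterministic encoding of the certified fields (a stand-in for DER)."""
    return json.dumps({k: cert[k] for k in SIGNED_FIELDS}, sort_keys=True).encode()


def issue_certificate(ca_private, serial, holder, holder_public, not_before, not_after):
    """The CA binds an identity to a public key by signing the fields."""
    cert = {"serial": serial, "holder": holder, "public_key": list(holder_public),
            "not_before": not_before, "not_after": not_after}
    cert["ca_signature"] = sign(encode_fields(cert), ca_private)
    return cert


def check_signed_message(message, signature, cert, ca_public, today):
    """Relying party's checks, in order. Returns (accepted, reason)."""
    if not verify(encode_fields(cert), cert["ca_signature"], ca_public):
        return False, "certificate altered or not issued by this CA"
    start = date.fromisoformat(cert["not_before"])
    end = date.fromisoformat(cert["not_after"])
    if not start <= today <= end:
        return False, "certificate outside its validity period"
    if not verify(message, signature, tuple(cert["public_key"])):
        return False, "message altered or not signed with the certified key"
    return True, "signed by " + cert["holder"]


def demo():
    # Constructed toy keys: Mersenne primes, trivially factorable on purpose.
    ca_pub, ca_priv = make_keypair(2**1279 - 1, 2**2203 - 1)
    a_pub, a_priv = make_keypair(2**521 - 1, 2**607 - 1)
    other_pub, other_priv = make_keypair(2**127 - 1, 2**2281 - 1)

    cert = issue_certificate(ca_priv, 1001, "A", a_pub, "2024-01-01", "2024-12-31")
    contract = b"A agrees to sell 10 units to B for 500 GBP."  # constructed
    sig = sign(contract, a_priv)
    today = date(2024, 6, 1)

    # A certificate whose public key was replaced after the CA signed it.
    swapped = dict(cert, public_key=list(other_pub))
    return {
        "genuine": check_signed_message(contract, sig, cert, ca_pub, today),
        "altered": check_signed_message(contract.replace(b"500", b"900"), sig, cert, ca_pub, today),
        "pasted": check_signed_message(b"A owes B 1000 GBP.", sig, cert, ca_pub, today),
        "expired": check_signed_message(contract, sig, cert, ca_pub, date(2025, 2, 1)),
        "swapped_key": check_signed_message(contract, sign(contract, other_priv), swapped, ca_pub, today),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print(f"{case:12} accepted={accepted}  {reason}")
```

Only the "genuine" case is accepted; each rejection reason corresponds to one property from the text: message integrity, a signature that cannot be moved to another message, the certificate's validity period, and the CA's binding of identity to public key.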

CA’s License

One of the important questions when considering the legal issues of CAs is whether CAs would have to be licensed.99 CAs could be established by the private sector and by state authorities.

The persons relying on the ID certificate need to trust the issuing CA, so that the recipient of the certificate can deal with the signatory with confidence.100 High standards and technical issues must be supported by the CA. Certification service providers should be allowed to offer their services without being required to obtain prior authentication. However, there is an issue, which is “dealing with this matter by establishing voluntary accreditation system.”101

Accreditation must be regarded as a public service offered to certification service providers.

Accreditation

The reason for introducing accreditation was to provide for law enforcement: as a condition of receiving accreditation, CAs would be required to have a copy of all encryption which is used to ensure message confidentiality.102

The most important consequence of accreditation for a CA:

1- Electronic signatures using a certificate from an accredited CA are given greater legal effect than other electronic signatures. However, a CA is free to choose whether to be accredited or not.103

However, the global ID Certificate infrastructure has become an important part of the global communication infrastructure, hence any disruption in the system can become a big issue for the economy. As a result, accreditation requirements for CAs involve a high level of security for keeping identifying information. Legislatures want to ensure that these requirements are met. The EU framework Directive introduced some general principles under which EU member states must institute accreditation schemes; however, it leaves implementation to national law. Accordingly, Article 3 of the EU Directive for Electronic Signatures provides:104

98 Directive 1999/93/EC on a Community framework for electronic signatures, OJ L13, p 12, 19 January 2000, Annex I
99 Rosa Julia Barcelo, “Proposal for Directive establishing a common framework for electronic signatures: An overview”, 1998; and see “The use and legal recognition of Digital Signatures in Electronic Commerce”, Dilimiti Evangelia, 2001
100 Generally, European Commission, ‘Ensuring Security and Trust in Electronic Communication - Towards a European Framework for Digital Signatures and Encryption’, COM (97) 157 final, 16 April 1997.
101 Internet Law: Text and Materials, Chris Reed, 2004, page 153
102 UK Department of Trade and Industry, ‘Licensing of Trusted Third Parties for Provision of Encryption Services’, March 1997
103 Internet Law: Text and Materials, Chris Reed, 2004, page 154
104 Directive 1999/93/EC on a Community framework for electronic signatures, OJ L13, p 12, 19 January 2000

“Article 3
Market access

1. Member States shall not make the provision of certification services subject to prior authorization.

2. Without prejudice to the provisions of paragraph 1, Member States may introduce or maintain voluntary accreditation schemes aiming at enhanced levels of certification-service provision. All conditions related to such schemes must be objective, transparent, proportionate and non-discriminatory. Member States may not limit the number of accredited certification-service-providers for reasons which fall within the scope of this Directive.

3. Each Member State shall ensure the establishment of an appropriate system that allows for supervision of certification service-providers which are established on its territory and issue qualified certificates to the public.

4. The conformity of secure signature-creation-devices with the requirements laid down in Annex III shall be determined by appropriate public or private bodies designated by Member States. The Commission shall, pursuant to the procedure laid down in Article 9, establish criteria for Member States to determine whether a body should be designated.

A determination of conformity with the requirements laid down in Annex III made by the bodies referred to in the first subparagraph shall be recognized by all Member States.

5. The Commission may, in accordance with the procedure laid down in Article 9, establish and publish reference numbers of generally recognized standards for electronic-signature products in the Official Journal of the European Communities. Member States shall presume that there is compliance with the requirements laid down in Annex II, point (f), and Annex III when an electronic signature product meets those standards.

6. Member States and the Commission shall work together to promote the development and use of signature-verification devices in the light of the recommendations for secure signature-verification laid down in Annex IV and in the interests of the consumer.

7. Member States may make the use of electronic signatures in the public sector subject to possible additional requirements. Such requirements shall be objective, transparent, proportionate and non-discriminatory and shall relate only to the specific characteristics of the application concerned. Such requirements may not constitute an obstacle to cross-border services for citizens.”

Moreover, under Annex II, the requirements for certification-service-providers have been defined.105 The Singapore legislation introduced similar accreditation.106 Some other legislation, enacted earlier, went into more detail about how to approach accreditation, for example the Utah Digital Signature Rules107 and the German Digital Signature Ordinance 1997.108

105 Annex II of Directive 1999/93/EC on a Community framework for electronic signatures, OJ L13, p 12, 19 January 2000, “Requirements for certification-service-providers issuing qualified certificates”: “Certification-service-providers must:
(a) demonstrate the reliability necessary for providing certification services;
(b) ensure the operation of a prompt and secure directory and a secure and immediate revocation service;
(c) ensure that the date and time when a certificate is issued or revoked can be determined precisely;
(d) verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued;
(e) employ personnel who possess the expert knowledge, experience, and qualifications necessary for the services provided, in particular competence at managerial level, expertise in electronic signature technology and familiarity with proper security procedures; they must also apply administrative and management procedures which are adequate and correspond to recognized standards;
(f) use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the process supported by them;
(g) take measures against forgery of certificates, and, in cases where the certification-service-provider generates signature creation data, guarantee confidentiality during the process of generating such data;
(h) maintain sufficient financial resources to operate in conformity with the requirements laid down in the Directive, in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance;
(i) record all relevant information concerning a qualified certificate for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings. Such recording may be done electronically;
(j) not store or copy signature-creation data of the person to whom the certification-service-provider provided key management services;
(k) before entering into a contractual relationship with a person seeking a certificate to support his electronic signature inform that person by a durable means of communication of the precise terms and conditions regarding the use of the certificate, including any limitations on its use, the existence of a voluntary accreditation scheme and procedures for complaints and dispute settlement. Such information, which may be transmitted electronically, must be in writing and in readily understandable language. Relevant parts of this information must also be made available on request to third-parties relying on the certificate;
(l) use trustworthy systems to store certificates in a verifiable form so that:
— only authorized persons can make entries and changes,
— information can be checked for authenticity,
— certificates are publicly available for retrieval in only those cases for which the certificate-holder's consent has been obtained, and
— any technical changes compromising these security requirements are apparent to the operator.”
106 Singapore Electronic Transactions Act 1998, s 42: “Regulation of certification authorities, 42. --(1) The Minister may make regulations for the regulation and licensing of certification authorities and to define when a digital signature qualifies as a secure electronic signature.”
107 Rules 154-10 of the Utah Commerce, Corporations and Commercial Code, 1 November 1998.
108 The Digital Signature Act 1997 “Signaturverordnung”, art 19, in force 1 November 1998.

Cross-certification: What is Public Key Infrastructure?

As was said above, a trusted party109 or CA is required to avoid tampering with the public keys. Public Key Infrastructure was introduced for the case where the recipient of an electronic signature cannot be confident that the certificate has not been issued to someone other than the named holder. Particularly in an international environment, it is necessary for both parties, who use different CAs, to know about each other’s authority and identity. The only solution by which a party can assess an unknown certification is by reference to a “certification practice statement”. The solution is that the two CAs are certified by a third CA. Accordingly, Public Key Infrastructure has been introduced, in which both CAs certify each other’s public key.

In order to assess the level of trust between CAs, these service providers must meet some legal requirements, such as security protocols and standards. In both Canada and Australia the government has introduced a PKI for the purpose of electronic transactions with government. However, Certification Authorities are generally unregulated in most countries.

109 A Certified Protocol “lex” has trust party: “the confidence in a person or thing because of the qualities one perceives or seems to perceive in him or it”. To see more, Digital Signatures and the Public Key Infrastructure, S.M. van den Broek, Department of Econometrics, Faculty of Economics, Erasmus University Rotterdam

Liability of Certification Authorities


The most complicated issues have arisen with the creation of PKI, where the law should define the liabilities of the three parties: (1) the signatory, (2) the recipient who relies on the validity of the message, and (3) the CA. The scope of the liability of the CA is obvious. The liability of the holder of an ID Certificate issued by the CA will arise if the certificate “contains inaccurate information or if the CA enable to have access to the private element of the holder’s signature key or disclose other private information.”110 Because there is a contract between the issuing CA and the holder, all the liability can be defined in that contract; however, consumer protection in the EU and USA will protect consumers.111 Moreover, most of the electronic signature acts in many countries have defined the CA’s liability. For example, the drafters of the Utah Act limit the liability of CAs.112

The most complicated issue of CA liability concerns the recipient of the message who relies on an ID Certificate which contains incorrect information. In common law jurisdictions, it is “possible for the courts “to construct” a contract even if the relying party has no direct communications with the issuing CA.”113 The contract would be formed because the CA has made a “unilateral offer to the whole world”114; it suggests115 a certain offer to any person who accepts that offer by “undertaking the conduct require by that offer.” In the old English case Carlill v Carbolic Smoke Ball Co,116 the defendants advertised a medical preparation called "The Carbolic Smoke Ball", and offered to pay £100 to any person who contracted influenza after having used one of their smoke balls in a specified manner and for a specified period of time. The plaintiff, trusting the advertisement, bought one of the balls and used it in the manner and for the period specified, but nevertheless she got influenza. The court held that the advertisement was an offer of a unilateral contract between the “Carbolic Smoke Ball Company” and anyone who satisfies the conditions set out in the advertisement. Once Mrs Carlill had satisfied the conditions she was entitled to enforcement of the contract; the notification of performance of the conditions formed part of the acceptance.117

110 Internet Law: Text and Materials, Chris Reed, 2004, page 194
111 See EC Directive on Unfair Terms in Consumer Contracts, Directive 93/13/EEC, OJ L 95, 21 April 1993, or UK Unfair Contract Terms Act 1977.
112 Moreover, the Singapore Act requires CAs to specify a “recommended reliance limit” in any certificate that they issue. “The use and legal recognition of Digital Signatures in Electronic Commerce”, Dilimiti Evangelia, 2001
113 Ibid 109, page 161
114 Ibid
115 Ibid
116 Carlill v Carbolic Smoke Ball Company [1893] 1 QB 256

How Electronic Signature Meet the Law’s Functional Requirement

Many international organizations have introduced material addressing the problems of authentication, non-repudiation and integrity of electronic messages. Most of it is guidelines or soft law; the only international law having legal effect is the European Union’s Electronic Signatures Directive. The first of these was the Utah Digital Signature Act of 1996, which was influenced by the discussion leading to the UNCITRAL Model Law on electronic commerce.118

International law initiatives, from UNCITRAL and the International Chamber of Commerce, have a significant effect among countries. The approach taken by governments reflects how their legislation can affect the infrastructure of electronic commerce. For example, some jurisdictions encourage people to use smart cards to carry public keys,119 while others encourage the development of public key infrastructure.

The European Union has taken two approaches, similar to that of the UNCITRAL on electronic signatures.120

UNCITRAL Model Laws - United Nations Commission on International Trade Law

117 http://en.wikipedia.org/wiki/Carlill_v._Carbolic_Smoke_Ball_Company
118 Ibid, page 194
119 For cryptography
120 “The concept of the public key infrastructure framework is provided for concentrating function, rather than” UNCITRAL models. And some specific technology such as smart card seems to have envisaged. To see more, Electronic Signatures in Law, Stephen Mason, Lexis Nexis, 2004, page 103


Two kinds of guideline have been set by UNCITRAL: the Model Law on Electronic Commerce and the Model Law on Electronic Signatures. These model laws are intended to provide guidelines for national states to use as a model in forming legislation. UNCITRAL is a body of the United Nations, and it was introduced to harmonize electronic commerce law in national states.

The objects of the Model Law on Electronic Commerce, together with its accompanying Guide to Enactment, are as follows:

1. To introduce rules acceptable to the international community for electronic communications.

2. To show how obstacles to electronic commerce can be removed by legislators.121

3. To be a remedy where inadequate legislation creates obstacles to international trade.122

Article 5 establishes the principle that an electronic contract should not be treated any differently from a paper document.123

Accordingly, Article 5 states that information shall not be denied validity or legal effect because it is in the form of an electronic message. Article 6124 has introduced the basic standard that an electronic contract must meet. It provides that an electronic message may satisfy a legal requirement for electronic information to be in writing.

121 For example, it was stated: “The increased use of electronic authentication techniques as substitutes for handwritten signatures and other traditional authentication procedures has suggested the need for a specific legal framework to reduce uncertainty as to the legal effect that may result from the use of such modern techniques (which may be referred to generally as “electronic signatures”).” Chapter I, Introduction to the Model Law, paragraph 3
122 See further Electronic Signatures in Law, Stephen Mason, Lexis Nexis, 2004, page 105
123 UNCITRAL Model Law on Electronic Commerce (1996), Article 5, Legal recognition of data messages: “Information shall not be denied legal effect, validity or enforceability solely on the grounds that it is in the form of a data message”. Article 5 bis, Incorporation by reference (as adopted by the Commission at its thirty-first session, in June 1998): “Information shall not be denied legal effect, validity or enforceability solely on the grounds that it is not contained in the data message purporting to give rise to such legal effect, but is merely referred to in that data message.”
124 UNCITRAL Model Law on Electronic Commerce (1996), Article 6, Writing:
1. Where the law requires information to be in writing, that requirement is met by a data message if the information contained therein is accessible so as to be usable for subsequent reference.
2. Paragraph (1) applies whether the requirement therein is in the form of an obligation or whether the law simply provides consequences for the information not being in writing.
3. The provisions of this article do not apply to the following: [...].


The starting point of electronic signature law is Article 7. It specifies:

1. Where the law requires a signature of a person, that requirement is met in relation to a data message if:

a. a method is used to identify that person and to indicate that person's approval of the information contained in the data message; and

b. that method is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement.

2. Paragraph (1) applies whether the requirement therein is in the form of an obligation or whether the law simply provides consequences for the absence of a signature.

3. The provisions of this article do not apply to the following: [...].125

Article 7 does not seek to establish a standard to be used for a digital signature. However, the article recognizes certain functions of a signature in a paper-based environment.126 It establishes a basic standard of authentication127 between two parties. In other words, “The objective was to establish general conditions under which data message would be regarded as authenticated with sufficient credibility for their purpose and would be enforceable in the face of signature requirements.”128 Article 7 sets two general conditions under which electronic data can be regarded as authentic and enforceable:

1- to identify the author of an electronic document

2- to confirm that the author of the document approved the content of the document.

Moreover, there are two elements to this purpose:129

1- The first element, set out in paragraph 1(a), introduces a method to be used to identify the signatory and to indicate their approval of the signature or content of the document.

125 UNCITRAL Model Law on Electronic Commerce (1996), Article 7

126 Electronic Signatures Law and Regulation, Lorna Brazell, First Edition, Sweet & Maxwell, July 2003, page 73

127 For example, to identify a person.

128 Ibid 31

129 See further Electronic Signatures in Law, Stephen Mason, LexisNexis, 2004, page 108

2- The second element is set out in paragraph 2(b): the method used to communicate must be reliable and secure. The Guide also sets out a number of technical and legal factors to be considered in deciding whether the method used was sufficiently reliable and appropriate. These conditions are:

“In determining whether the method used under paragraph (1) is appropriate, legal, technical and commercial factors that may be taken into account include the following:

1- the sophistication of the equipment used by each of the parties;

2- the nature of their trade activity;

3- the frequency at which commercial transactions take place between the parties;

4- the kind and size of the transaction;

5- the function of signature requirements in a given statutory and regulatory environment;

6- the capability of communication systems;

7- compliance with authentication procedures set forth by intermediaries;

8- the range of authentication procedures made available by any intermediary;

9- compliance with trade customs and practice;

10- the existence of insurance coverage mechanisms against unauthorized messages;

11- the importance and the value of the information contained in the data message;

12- the availability of alternative methods of identification and the cost of implementation;

13- the degree of acceptance or non-acceptance of the method of identification in the relevant industry or field both at the time the method was agreed upon and the time when the data message was communicated; and

14- any other relevant factor.”130

130 Guide to Enactment, Para 58

Model Law on Electronic Signatures

The Model Law is based on the principles of Article 7 of the Model Law on Electronic Commerce. It considers both technical and legal effectiveness. It sets out a number of fundamental rules for the parties to an electronic signature (signatory, receiving party and CA party). The Model Law focuses on the function of electronic signatures in respect of public key cryptography. It implies that a trusted third party acts to certify the identity of an entity.131

The Model Law provides some definitions in Article 2. These are as follows:

Electronic signature132

Certificate: Article 2(b) defines “Certificate” as: “‘Certificate’ means a data message or other record confirming the link between a signatory and signature creation data;”

The Guide to Enactment to the Model Law states that a certificate is no different from any other document. The certificate was introduced to recognize and confirm a link between the signature data and the signatory. According to this definition, the link is created when the signature data is generated. However, this is not correct, because the link is created when a certificate is sought for the verification key. This link is created when public key cryptography is used.133

Data message: Article 2(c) defines “Data message” as: “‘Data message’ means information generated, sent, received or stored by electronic, optical or similar means including, but not limited to, electronic data interchange (EDI), electronic mail, telegram, telex or telecopy; and acts either on its own behalf or on behalf of the person it represents.”

Clearly, the definition covers a broad range of data, such as records. Hence, the definition includes all forms of electronic documents, and it also takes account of future developments in technology.134

131 Electronic Signatures in Law, Stephen Mason, LexisNexis, 2004, page 110

132 Discussed above; see “electronic signature definition”

133 Electronic Signatures in Law, Stephen Mason, LexisNexis, 2004, page 114

Signatory: Article 2(d) defines “signatory” as: “‘Signatory’ means a person that holds signature creation data and acts either on its own behalf or on behalf of the person it represents;”

The meaning of person refers to all types of person, for example corporate bodies, individuals, and any other form of legal party. It provides that such a person can sign a document. In other words, a legal entity can sign the document. For example, under the Iranian Commercial Code, the manager of a company can sign any document with the impression of the seal.135

The addition of an electronic signature to electronic data is a matter for the law governing the relationship between the parties.136

Certification service provider: Article 2(e) defines “Certification service provider” as:

“‘Certification service provider’ means a person that issues certificates and may provide other services related to electronic signatures;”

As described above, the certification service provider should provide certification, and it can also provide other services. The definition is intended to cover all activities of commercial providers of certification.137

Relying party: Article 2(e) defines “Relying party” as: “a person that may act on the basis of a certificate or an electronic signature.”

The definition of “Relying party” is meant to cover the various parties involved in an electronic signature transaction. Therefore, the commentary suggests that the word “act” should be interpreted as covering both a positive action and a failure to act. However, this gives rise to discussion, because in some jurisdictions the word “act” would not cover failures to act.138 However, the meaning of the word “act” must be interpreted under Article 4.

Article 4, interpretation: “1. In the interpretation of this Law, regard is to be had to its international origin and to the need to promote uniformity in its application and the observance of good faith.

2. Questions concerning matters governed by this Law which are not expressly settled in it are to be settled in conformity with the general principles on which this Law is based.”139

134 Guide to Enactment, Paragraph 98-100.

135 Iran Commercial Code, Article 223. “Besides bearing the signature of seal of the drawer, a Bill of Exchange must contain:…..” http://www.iranworld.com/Laws/ltr-r231.asp or as Stephen Mason referred: “in Lithuania, it is required by art 2.140 of the Civil Code that acts carried out by the legal entity are to be signed by the head of the organization and the seal is to be used to demonstrate approval of the act: 'Lithuania has enforced the right of "legal persons" to use electronic signatures', http://www.regija.lt

136 Ibid 123.

137 Ibid 134, Paragraph 104.

Since the Model Law expects both the sending and the receiving parties to be aware of the risks and limitations of using electronic signatures, the comments in the Guide to Enactment state that the recipient must note that he bears responsibility for relying on the certificate.140

The European Union: Electronic Signatures Directive

The Directive was adopted by the European Parliament and Council on 13 December 1999 and came into force on 19 January 2000. Member States were required to implement the Directive one year later.141 A review of the Directive has been prepared and delivered to Parliament and the Council by 19 July 2005.142

Aim of the Directive

The aim of the Directive is to facilitate the use of electronic signatures and to promote the general acceptance of the new technologies. Hence, it assists the use of electronic signatures across the European Union.143

138 UNCITRAL Model Law on Electronic Signatures with Guide to Enactment 2001, Article 11. Conduct of the relying party: A relying party shall bear the legal consequences of its failure: (a) To take reasonable steps to verify the reliability of an electronic signature; or (b) Where an electronic signature is supported by a certificate, to take reasonable steps: (i) To verify the validity, suspension or revocation of the certificate; and (ii) To observe any limitation with respect to the certificate.

139 UNCITRAL Model Law on Electronic Signatures with Guide to Enactment 2001, Article 4

140 Ibid 137, paragraph 148

141 Article 13(1)

142 Article 12(1) http://euopa.eu.int/informatuon_society/eEurope/2005/Index_en.html

This aim will be achieved by:

Ensuring certification authorities are free to provide their services without requiring prior authorization in a member state; 144

Providing a common legal framework for recognition,145 although the provisions of the Directive do not prevent parties from making private contracts under harmonized criteria, which means that the Directive sets out some restrictions in national law for harmonization.

Moreover, the Directive seems to be technologically neutral.146

The legal recognition of the Directive:

The Directive sets out two types of electronic signature:

1. An electronic signature

2. An advanced electronic signature147

There is a difference between the two types of electronic signature. The Directive defines electronic signature as: “Article 2, definitions ‘electronic signature’ means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication…”

This definition is wide enough to permit a secret code (PIN and biometric) in electronic format to be considered an electronic signature. The definition in Article 2 does not determine what data is meant to be authenticated; however, it states that electronic signatures provide a method of authentication.

Under Article 2, the definition of “Signature-verification-data” describes a link between entities under the terms of a protocol. A link can be made between different sets of data but it is not capable of linking the data with the entity, nor is it possible to confirm the identity of the entity.148

143 Article 1, Scope, “The purpose of this Directive is to facilitate the use of electronic signatures and to contribute to their legal recognition. It establishes a legal framework for electronic signatures and certain certification-services in order to ensure the proper functioning of the internal market.”

144 Recitals 10 and 12; Electronic Signatures in Law, Stephen Mason, LexisNexis, 2004, page 119

145 Recital 16: “This Directive contributes to the use and legal recognition of electronic signatures within the Community;” and Recital 20: “Harmonized criteria relating to the legal effects of electronic signatures will preserve a coherent legal framework across the Community; national law lays down different requirements for the legal validity of handwritten signatures; whereas certificates can be used to confirm the identity of a person signing electronically; advanced electronic signatures based on qualified certificates aim at a higher level of security; advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device….”

146 Recital 8: “Rapid technological development and the global character of the Internet necessitate an approach which is open to various technologies…..”

147 The Directive illustrates a step towards smart cards. Article 2(2)(c)

Article 2(7): “‘signature-verification-data’ means data, such as codes or public cryptographic keys, which are used for the purpose of verifying an electronic signature;”

Under Article 5(2), a signature can be used as evidence if it complies with the definition in Article 2(1). Article 5(2): Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is:

— in electronic form, or
— not based upon a qualified certificate, or
— not based upon a qualified certificate issued by an accredited certification-service-provider, or
— not created by a secure signature-creation device.

In order to contribute to the general acceptance of electronic signatures, the provisions of recital 21 require that an electronic signature can be used as evidence in legal proceedings.149

The Advanced Electronic Signature:

The definition of an advanced electronic signature differs significantly from that of an ordinary electronic signature. It is complicated and has an elaborate structure. It is defined in Article 2(2) in the form “of characteristics relating to performance”:150

“‘advanced electronic signature’ means an electronic signature which meets the following requirements:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using means that the signatory can maintain under his sole control; and
(d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable;”

It seems from Article 2(2)(c) that an advanced electronic signature can exist in a hardware format which an individual can control. An advanced electronic signature can be created by utilizing the public key infrastructure and a qualified certificate from a certification-service-provider.

The legal effect of an advanced electronic signature is greater than that of an ordinary electronic signature. Article 5(1), “Legal effects of electronic signatures”, states:

“1. Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device:
(a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data; and
(b) are admissible as evidence in legal proceedings.”

148 Electronic Signatures in Law, Stephen Mason, LexisNexis, 2004, page 121

149 Recital 21.

Accordingly, an advanced electronic signature requires a qualified certificate, which is defined under Article 2(10).151

An Advanced electronic signature must be created by a secure signature creation device. The requirement for that device is defined under ANNEX III.152

150 Consultation Document on the implementation of the EU Electronic Signatures Directive, March 2001, Paragraph 23.

151 Article 2(10): ‘qualified certificate’ means a certificate which meets the requirements laid down in Annex I and is provided by a certification-service-provider who fulfils the requirements laid down in Annex II;

152 ANNEX III, Paragraph 1, Requirements for secure signature-creation devices: Secure signature-creation devices must, by appropriate technical and procedural means, ensure at the least that: (a) the signature-creation-data used for signature generation can practically occur only once, and that their secrecy is reasonably assured; (b) the signature-creation-data used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology; (c) the signature-creation-data used for signature generation can be reliably protected by the legitimate signatory against the use of others.

Clearly, the Directive does not seek to change the powers of national courts regarding the rules in the Directive. Hence, national courts can have their own definition of evidence. However, Article 5(1) states that an advanced electronic signature can satisfy the same requirements as a handwritten signature.

The Electronic Communications Act 2000

The first draft of the bill was published in July 1999. The Electronic Communications Act received the Royal Assent on 25 May 2000.153

The Act has three parts:

1. “Cryptography service providers.
2. Facilitation of electronic commerce, data storage.
3. Miscellaneous and supplemental.”154

Part 2 of the Act deals with the legal recognition of electronic signatures. The Act implements some of the provisions of the Directive.155

The Act provides a definition of an electronic signature in section 7(2). The definition has an additional feature compared with the definition in the Directive. Section 7(2): “For the purposes of this section an electronic signature is so much of anything in electronic form as:

(a) is incorporated into or otherwise logically associated with any electronic communication or electronic data; and

(b) purports to be so incorporated or associated for the purpose of being used in establishing the authenticity of the communication or data, the integrity of the communication or data, or both.”156

153 Electronic Signatures in Law, Stephen Mason, LexisNexis, 2004, page 128

154 Ibid.

155 Ibid Page 129.

Under the Act, an electronic signature does not have the same characteristics as a manuscript signature. Clearly, the definition of electronic signature under the Act does not attempt to give it the legal effect of a manuscript signature. The Act defines what is meant by establishing the authenticity or the integrity of the communication or data. Accordingly, the Act adds the element of integrity, which is not defined in Article 2 of the Directive. However, the word authentication has two meanings in the context of electronic signatures.157 In the context of the Act it refers to verifying the identity of a person or entity. Section 15(2) states: “(2) In this Act:

(a) References to the authenticity of any communication or data are references to any one or more of the following-

(i) whether the communication or data comes from a particular person or other source;
(ii) whether it is accurately timed and dated;
(iii) whether it is intended to have legal effect;”

One of the most important parts of an electronic signature law is admissibility in evidence. The Act contains no phrase like the Directive's “legal effectiveness.” Moreover, it does not follow that the communication will have legal effect. Section 7 leaves the evidential question of the signature to the courts. Where parties determine by contract how electronic communications are to be treated, the court will not interfere. Section 7(1) states: “In any legal proceedings:

(a) an electronic signature incorporated into or logically associated with a particular electronic communication or particular electronic data, and

(b) the certification by any person of such a signature,

shall each be admissible in evidence in relation to any question as to the authenticity of the communication or data or as to the integrity of the communication or data.”

156 The Electronic Communications Act 2000, Section 7(2), Facilitation of Electronic Commerce, Data, Storage, Etc.

157 “One refers to the authentication of the origin of the data, whilst the other verifies the identity of a person or entity.” Fred Piper and Sean Murphy, Cryptography: A Very Short Introduction, 2002, page 92. See Electronic Signatures in Law, Stephen Mason, LexisNexis, 2004, page 128

However, under section 7(1)(b) the authenticity of the communication or data can be admissible where any person certifies the signature.

Conclusion:

The purpose of this paper has been to make clear to what extent electronic signatures are important in developed and developing countries for enhancing electronic commerce in these countries. Digital signatures are a key factor in developing e-commerce and creating new economic opportunities for countries.

Hence, the creation of a global legislative framework is necessary in order to protect parties involved in electronic commerce.

With increasing electronic commercial activities on the internet between national states, one of the current legal issues to be discussed in laws and legislative proposals is how to authenticate and verify the identity of people. People need to trust each other to have liberalized trade. Hence, businessmen will increasingly require their customers to identify themselves by ID certificate issuers. It must be noted that the electronic signature still needs to be more secure from a technological point of view, but at present the digital signature can be considered the most secure method of authenticating documents.

E-commerce policy makers must provide some legal regime in order to apply secure digital signatures on a global level in order to promote e-commerce.

Bibliography:

Definition of Signature, Oxford English Dictionary

Definition of Signature, http://www.answers.com/topic/signature

Definition of Signature, Webster dictionary, http://www.webster-dictionary.net/definition/signature

Articles and Website:

What is a Signature? Chris Reed, http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_3/reed/ and http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_3/reed/footnotes/

Public Key Infrastructure Digital Signatures and Systematic Risk, Jamie Murray , http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2003_1/murray/

Electronic Signatures and Associated Legislation, http://www.dti.gov.uk/industries/information_security/electronic_signatures_associated_legislation.html

Signature Stripping: A Digital Dilemma, Adrian McCullagh, http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2001_1/mccullagh/

Why use Digital Signatures for Electronic Commerce? John Angel , http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1999_2/angel/


Christina Spyrelli, http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2002_2/spyrelli/

Proposals for a European Parliament and a Council Directive on a Common Framework for Electronic Signatures (98/0191), Alistair Kelman, http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1998_3/kelman/


Defining Electronic Authenticity: An Interdisciplinary Journey ,by Jean-François Blanchette

Digital Signatures, Certificates and Electronic Commerce, Brian Gladman, Carl Ellison , Nicholas Bohm

A Method for Obtaining Digital Signatures and Public Key Cryptosystems, R. L. Rivest, A. Shamir, and L. Adleman

Digital Signature Regulation and European Trends, Alexander Rossnagel

Electronic Signatures: A Transatlantic Bridge? An EU and US Legal Approach Towards Electronic Authentication, Christina Spyrelli

Electronic Signatures and Associated Legislation, DTI, http://www.dti.gov.uk/industries/information_security/electronic_signatures_associated_legislation.html

An Analysis of International Electronic and Digital Signature Implementation Initiatives,Morrison & Foerster LLP, Chris Kuner, Rosa Barcelo, Steptoe & Johnson LLP

The regulation of Electronic Commerce learning from the UK's RIP act 2/10/2000

E-Signatures - Legal Issues , Paul Motion

Legal Aspects of Electronic Contracts, 6 June 2000 , Michael Gisler , Katarina Stanoevska-Slabeva, Markus Greunz

Legal Aspects of Digital Signatures and Non-Repudiation, Ilja Ponka

Digital Signatures and the Public Key Infrastructure, S.M. van den Broek

Signatures: an Interface between Law and Technology, Ben Laurie ,Nicholas Bohm

Legislating to facilitate electronic signatures and records: Exceptions, Standards and the impact on the statute Book,MARK SNEDDON, http://www.austlii.edu.au/au/au/other/unswlj/thematic/1998/vol21no2/sneddon.html

Online Contracts And Electronic Signatures, Nick James


JOINT IDA-AGC REVIEW OF ELECTRONIC TRANSACTIONS ACT STAGE II: EXCLUSIONS UNDER SECTION 4 OF THE ETA, http://www.agc.gov.sg/pub_speech/Consultation%20Paper(StageII)(25.6.04).pdf

Electronic Contracts Under Canadian Law—A Practical Guide, Bradley J. Freedman

DIGITAL SIGNATURES: CAN THEY BE ACCEPTED AS LEGAL SIGNATURES IN EDI? Patrick W. Brown

http://www.cl.cam.ac.uk/users/jgd1000/sampleiris.jpg

"Biometric-Advanced Identity Verification", Julian Ashbourn (2000), p. 52, Springer-Verlag London Ltd.http://bias.csr.unibo.it/research/biolab/bio_tree.html

R. Anderson, "Security Engineering", (2001) John Wiley & Sons, Inc. p. 265.

http://www.britannica.com/eb/article-9034291?query=fingerprint&ct= and http://en.wikipedia.org/wiki/Fingerprint

www.finger-scan.com

http://biometrics.cse.msu.edu/hand_geometry.html By Arun Ross and Anil Jain

http://bias.csr.unibo.it/research/biolab/bio_tree.html

http://et.wcu.edu/aidc/BioWebPages/Biometrics_Keystroke.html

http://www.britannica.com/eb/article-9030731?query=DNA%20matching&ct= and http://en.wikipedia.org/wiki/DNA_typing

Fujitsu Laboratories Ltd, http://pr.fujitsu.com/en/news/2002/08/28.html

Biometric recognition: techniques, applications and challenges , Anil K. Jain, Arun Ross

Keystroke Dynamics as a Biometric for Authentication, Fabian Monrose, Courant Institute of Mathematical Sciences, New York University, New York, NY., and Aviel D. Rubin, AT&T Labs - Research, http://www.cs.jhu.edu/~fabian/papers/fgcs.pdf

Rosa Julia Barcelo, “Proposal for Directive establishing a common framework for electronic signatures: An overview” 1998

Generally European Commission ‘Ensuring Security and Trust in Electronic Communication- Towards a European Framework for Digital Signatures and Encryption’ COM (97) 157 final , 16

American Bar Association, Model Electronic Data Interchange Trading Partner Agreement (Chicago: American Bar Association, 1990)

Dissertation: “in pace with the new Technologies: Electronic and handwritten signatures, a functional equivalent approach that needs International harmonization”. Khajdoun Nazer 12/9/2000

Dissertation: “The use and legal recognition of digital signature in electronic commerce”. Dilimiti Evangelia 13/9/2001

Laws

Statutory Instrument 2002 No. 318, The Electronic Signatures Regulations 2002

Electronic Communications Act 2000

German Digital Signature Law (SigG) ,Final Version, June 13, 1997, http://www.kuner.com/data/sig/digsig4.htm

Singapore Electronic Transactions Act 1998,

The Digital Signature Act 1997, German. “Signatureveronung”

The Utah Commerce, Corporations and Commercial Code, 1 November 1998.

EC Directive on Unfair Terms in Consumer Contracts, Directive 93/13/EEC, OJ L 95, 21 April 1993

UK Unfair Contract Terms Act 1977

Iran Commercial Code, Article 223

Cases

Carlill v Carbolic Smoke Ball Company [1893] 1 QB 256;

Entores Ltd v Miles Far East Corp, 1955 2 QB 327

Jenkins v. Gaisford & Thring (1863) 3 Sw. & Tr. 93

e.g. L’Estrange v F Graucob Ltd [1934] 2 KB 394 at 403, per Scrutton LJ.

Actionstrength Ltd v International Glass Engineering 1n.Gl.En.

Bennett v Brumfitt; 1867 L.R. 3 C.P. 28.


Newborne v Sensolid [I996]2 All E.R

Books

Electronic Signatures in Law Stephen Mason, LexisNexis UK , - November 1, 2003

Electronic Commerce Law and Practice, Third Edition, Michael Chissick and Alistair Kelman, 2001

Electronic Signatures: Authentication Technology from a Legal Perspective v. 5 (Information Technology & Law S.) , M.H.M. Schellekens , Asser Press - August 12, 2004 Cambridge

Electronic Signatures: Law and Regulation (Special Reports) Lorna Brazell ,Sweet & Maxwell , August 7, 2003

UNCITRAL Model Law on Electronic Signatures with Guide to Enactment 2001 United Nations , July 25, 2002

E-commerce: a guide to the law of electronic Commerce, Hammond Suddards Edge, October 1, 2002

Internet Law: Text and Materials, Chris Reed, October 7, 2004
